As we begin 2023, reflecting on what the year might have in store is timely. Last year, our PSA Certified ecosystem predicted that there would be a strengthening in IoT regulation, as well as the growth of pre-certified components – both became prominent parts of the IoT security story as we closed out the year.
As we know, security never sleeps. And while IoT continues to grow dramatically across various sectors, including healthcare, logistics and consumer electronics, the IoT technology ecosystem is proactively making strides to make the world more secure.
So, it’s with that in mind that our experts have pulled together their predictions for the year ahead in IoT security. Let’s take a look.
#1: The Industry Will Get Ready for Regulation
Governments around the world now recognize the threat insecure devices represent to their digital economies and, as a result, are introducing new cybersecurity regulations. In 2023, some of these regulations will become more precise, and manufacturers will need to prepare.
The right kind of regulation can help improve the security of connected products, build public trust in them, and thereby enlarge the potential market for such products. PSA Certified has long been helping the ecosystem proactively prepare for regulation, and we’re looking forward to collaborating with governments and standards bodies.
The European Cyber Resilience Act is an example of the need for proactive preparation for potential regulations. One of the motivations behind Arm’s leadership in establishing PSA Certified was to create an evaluation scheme tailored to connected devices in anticipation of regulations like this. PSA Certified Level 1 is based on an analysis of IoT threat models, outlined in the PSA Certified 10 Security goals and best practices, to assist companies in implementing appropriate security measures in their product development. The aim was to have a system that was specifically suited for evaluating the security of connected devices.
The Internet of Things security framework is being enforced in different industries, from Consumer, MedTech and Automotive to the Industrial domain. New cybersecurity regulations are under development, like the Radio Equipment Directive (RED) with cybersecurity requirements for connected devices and the upcoming Cyber Resilience Act in Europe. 2023 will be another interesting year in terms of the international standard framework and will undoubtedly raise awareness and the adoption of third-party security evaluations.
#2: The Use of the Root of Trust in Devices Will Continue to Soar (With PSA-RoT Being the Most Common Implementation).
Increasingly, we are seeing consumers and businesses look for devices built on solid security credentials and are beginning to mandate building on the Root of Trust (RoT). Our report found that trusted components were growing in importance with IoT decision-makers. In fact, of those surveyed, 68% recognized trusted components as essential options for creating secure devices.
During 2022, we were already seeing that a RoT built into the silicon, containing all the critical security features, would become a necessity in many areas of standards, compliance, and regulation, and that it is seen as the starting point for devices built from the ground up with secure components. Notably, the RoT adoption rates are even higher in critical markets such as health monitoring (78%) and industrial (78%), where protecting data and individuals is a vital priority.
As we head to a turning point in IoT security, we anticipate that dependence on the RoT will grow exponentially as the ecosystem looks to establish trust at all stages along the value chain. The desire to build IoT security and a RoT will be prevalent at every step of the product design cycle. Entities will seek to use the RoT and critical functions in software and end-products or devices. Third-party security labs and independent testing will look for the RoT to verify trusted components.
With the increasing demand for IoT devices in both industry and everyday life, various countries are paying more and more attention to the security of IoT devices, putting forward some mandatory security requirements for IoT products. Thus, ensuring the security of facilities and meeting the security demand becomes a huge challenge for IoT device manufacturers, who have transferred from the traditional industry to the IoT industry. PSA RoT design provides basic security capabilities from the chip layer. Properly using PSA Certified chips in IoT devices can help equipment manufacturers conveniently meet the basic security requirements of various countries on IoT devices, which is also one of the original intentions of PSA Certified. And for 2023, PSA Certified will continue to provide excellent services for chip and IoT equipment manufacturers and continue contributing to a healthier IoT industry.
#3: Matter Will Begin to Improve Device Interoperability and Encourage Mass Adoption of IoT, Creating a Pull for Connectivity and Security.
Interoperability is going to be a huge focus in 2023, and Matter sits right at the heart of many of the important developments we expect to see.
The Matter protocol allows smart home devices from different manufacturers and ecosystems to communicate with one another. If a light bulb is Matter-certified, it can share information such as its on/off status, dimming capabilities, and color with other Matter devices. Matter uses Bluetooth Low Energy for initial setup through a QR code and Wi-Fi for high-data-rate connectivity, while Thread is used for low-data-rate communication. This will be a crucially important standard for the intelligent home, driving uptake through increased functionality for low-level devices like lighting and electrical, HVAC controls, window coverings and shades, security sensors, door locks, and media devices.
Matter will drive a new wave of opportunities and increase the importance of data security for connected devices.
In 2023 we will continue to see OEMs designing ever more connected products with increased functionality based on the latest releases of BLE and Wi-Fi devices. We expect continued implementation of new application layers like Matter to simplify designs and improve customer experiences. These solutions will need to be more robust and align with security standards and regulations to deter cyber criminals. Silicon manufacturers will deliver more products designed with security in mind to meet the needs of OEMs and end users.
#4: The Ecosystem Will Pull on its Supply Chain to Make Security Simpler.
As regulations related to IoT security come into effect, OEMs and ODMs are increasingly pushing their supply chain for trusted and reliable components. This is because these regulations often require that devices meet stringent security standards, and using certified components can help ensure compliance. With this change ahead of us, OEMs and ODMs are not only validating their own devices but also requiring that their parts have been thoroughly tested and validated for security with a proven track record of performance.
It’s no surprise that we’ve seen a rise in OEMs and ODMs achieving PSA Certified Level 1 (including new certifications from Scalys, Arcelik, Asus IoT, AAEON, Arduino Pro, Arrows and SDT), while reusing component certifications from silicon vendors and software vendors.
In 2023 we will see chip vendors moving from PSA Certified Level 1 to PSA Certified Level 2 or PSA Certified Level 3 evaluations. At the same time, more device manufacturers will leverage the certified chip and PSA-RoT, getting ready for the upcoming regulations. Re-usability will be the key for the efficiency of the security demand and adoption at multiple levels.
#5: Proactive Security Will Continue to be a Primary Concern for OEMs and ODMs
Building on the above, it’s clear that security is no longer a minor consideration in IoT strategy. Our report found that 88% place security as a top 3 priority for their business. It must be at the forefront of any plans, whether you are purchasing devices or creating them yourself.
The need for universally recognized, thoroughly evaluated security measures has been recognized within the industry, as there is a widespread desire to establish a more secure ecosystem that can support large-scale deployments and services.
In the past, the implementation of IoT security measures has lagged behind the rapid pace of digital transformation. However, there is now a pressing need across the industry to address this issue.
Security is of paramount importance in every connected application. All Arduino connected products, even the entry-level ones, have secure elements to ensure maximum protection to the users. We believe security is a fundamental prerequisite for IoT. On the high-end products, starting with Portenta X8, which combines MCU and MPU, we immediately adopted PSA Certified (originally spearheaded by Arm) to deliver top-notch robustness along with Arduino’s traditional ease of use. For us, security cannot be an afterthought.
#6: Software Collaboration Will Become Essential
As the industry gets ready for regulation, it is becoming clear that manufacturers need to deploy products with the total cost of ownership (TCO) in mind throughout the devices’ intended lifetime. Some of the critical standard requirements emerging in regulation include ensuring that products are managed and receive software updates for an agreed-regulated time.
This creates new TCO challenges for the whole industry, as today, connected IoT products are built from a complex set of software components which come from multiple supply chain members. We will need to collaborate as an ecosystem to overcome these challenges: keeping software components updated in a secure, scalable and cost-effective manner requires industry-wide collaboration.
From intelligent, AI-capable endpoint devices to autonomous systems, IoT developers are building a diverse ecosystem of products and services, only set to grow. In 2023, the number of IoT connected devices worldwide is projected to reach over 15 billion. However, despite widespread growth and innovation, fragmentation remains a challenge, with a huge variety of IoT devices across a range of markets. IoT device makers and developers need to port their software for every new product and every new market. This is limiting their ability to invest in differentiation, meaning a limited return on investment because companies are simply unable to scale. The good news is that industry players large and small are working together to create a consistent set of standards to address this fragmentation. This means 2023 will see the industry making major steps towards achieving the right balance of standardization and differentiation, allowing IoT developers to leverage existing software without worrying about compatibility issues, instead spending time and resources innovating their products and applications.
Looking Ahead to 2023
A common trend unites all the PSA Certified 2023 predictions: IoT security will continue to increase in importance, primarily driven by the continued rollout of regulation. We will continue to see the technology ecosystem embrace improving security.
In 2023, PSA Certified will continue to support the ecosystem with security adoption by providing a framework and comprehensive certification scheme aligned with the market needs and regulatory requirements. We’re proud that our growing set of free resources continues to guide security design and implementation, making security accessible. Our vision is for all connected devices to be built on an independently certified RoT and for all IoT devices to have provable security based on a common language. Achieving these goals will defragment the ecosystem and facilitate better collaboration and the continued success of the IoT.